As a user, I want to change/set password by OTP (#474)

* Fix url classwork detail

* Set Password

* Reset password

* UI

* Test Mail

* Handle

Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>

Author: nhatminh0509

packages/server/schema.gql

@@ -45,6 +45,8 @@ type Account implements BaseModel {
   username: String!
   email: String!
   displayName: String
+  otp: String
+  otpExpired: DateTime
   status: AccountStatus!
   roles: [String!]!
   availability: AccountAvailability!
@@ -315,6 +317,8 @@ type Mutation {
   createOrgAccount(input: CreateAccountInput!): Account!
   updateAccount(updateInput: UpdateAccountInput!, id: ID!): Account!
   updateAccountStatus(status: String!, id: ID!): Account!
+  setPassword(otp: String!, password: String!, usernameOrEmail: String!): Account!
+  callOTP(type: String!, usernameOrEmail: String!): Account!
   signIn(
     password: String!
 

packages/server/src/core/utils/string.ts

@@ -20,3 +20,14 @@ export const stringWithoutSpecialCharacters = (
     /^[a-zA-ZÀÁÂÃÈÉÊÌÍÒÓÔÕÙÚĂĐĨŨƠàáâãèéêìíòóôõùúăđĩũơƯĂẠẢẤẦẨẪẬẮẰẲẴẶẸẺẼỀỀỂẾưăạảấầẩẫậắằẳẵặẹẻẽềềểếỄỆỈỊỌỎỐỒỔỖỘỚỜỞỠỢỤỦỨỪễệỉịọỏốồổỗộớờởỡợụủứừỬỮỰỲỴÝỶỸửữựỳỵỷỹ\s]+$/
   return regex.test(inputString)
 }
+
+export const generateString = (length: number): string => {
+  const characters =
+    'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
+  let result = ''
+  for (let i = 0; i < length; i += 1) {
+    result += characters.charAt(Math.floor(Math.random() * characters.length))
+  }
+
+  return result
+}

packages/server/src/modules/academic/academic.service.spec.ts

@@ -4,6 +4,7 @@ import { Connection } from 'mongoose'
 import { Publication } from 'core'
 import { objectId } from 'core/utils/db'
 import { createTestingModule, initTestDb } from 'core/utils/testing'
+import { AccountStatus } from 'modules/account/models/Account'
 import { ClassworkService } from 'modules/classwork/classwork.service'
 import { AvgGradeOfClassworkByCourseOptionInput } from 'modules/classwork/classwork.type'
 import { OrgOfficeService } from 'modules/orgOffice/orgOffice.service'
@@ -2229,6 +2230,7 @@ describe('academic.service', () => {
           username: 'thanhthanh',
           roles: ['student'],
           displayName: 'Huynh Thanh Thanh',
+          status: AccountStatus.Active,
         })
 
         const accStudent2 = await accountService.createAccount({
@@ -2238,22 +2240,27 @@ describe('academic.service', () => {
           username: 'thanhthanh2',
           roles: ['student'],
           displayName: 'Huynh Thanh Thanh',
+          status: AccountStatus.Active,
         })
 
         const accLecturer = await accountService.createAccount({
           roles: ['lecturer'],
           email: '[email protected]',
+          password: '123456',
           username: 'thanhcanh',
           orgId: org.id,
           displayName: 'Huynh Thanh Canh',
+          status: AccountStatus.Active,
         })
 
         const accAdmin = await accountService.createAccount({
           roles: ['admin'],
           username: 'thanhcanh123',
+          password: '123456',
           orgId: org.id,
           email: '[email protected]',
           displayName: 'Huynh Thanh Canh Thanh',
+          status: AccountStatus.Active,
         })
 
         const academicSubject = await academicService.createAcademicSubject({
@@ -2322,7 +2329,7 @@ describe('academic.service', () => {
         )
 
         await authService.signIn({
-          password: '[email protected]',
+          password: '123456',
           usernameOrEmail: '[email protected]',
           orgNamespace: 'kmin-edu',
         })

packages/server/src/modules/account/account.const.ts

@@ -1 +1,2 @@
 export const ACCOUNT_PWD_MIN = 8
+export const OTP_TIME = 15

packages/server/src/modules/account/account.module.ts

@@ -2,6 +2,7 @@ import { forwardRef, Global, Module } from '@nestjs/common'
 import { TypegooseModule } from 'nestjs-typegoose'
 
 import { AuthModule } from 'modules/auth/auth.module'
+import { MailModule } from 'modules/mail/mail.module'
 
 import { AccountResolver } from './account.resolver'
 import { AccountService } from './account.service'
@@ -10,6 +11,7 @@ import { Account } from './models/Account'
 @Global()
 @Module({
   imports: [
+    MailModule,
     forwardRef(() => AuthModule),
     TypegooseModule.forFeature([Account]),
   ],

packages/server/src/modules/account/account.resolver.ts

@@ -121,6 +121,26 @@ export class AccountResolver {
     )
   }
 
+  @Mutation((_returns) => Account)
+  @UsePipes(ValidationPipe)
+  async setPassword(
+    @Args('usernameOrEmail', { type: () => String }) usernameOrEmail: string,
+    @Args('password', { type: () => String }) password: string,
+    @Args('otp', { type: () => String }) otp: string,
+  ): Promise<Account> {
+    return this.accountService.setPassword(usernameOrEmail, password, otp)
+  }
+
+  @Mutation((_returns) => Account)
+  @UsePipes(ValidationPipe)
+  async callOTP(
+    @Args('usernameOrEmail', { type: () => String }) usernameOrEmail: string,
+    @Args('type', { type: () => String })
+    type: 'ACTIVE_ACCOUNT' | 'RESET_PASSWORD',
+  ): Promise<Account> {
+    return this.accountService.callOTP(usernameOrEmail, type)
+  }
+
   @ResolveField((_returns) => AccountAvailability)
   availability(@Parent() account: Account): AccountAvailability {
     if (!account.lastActivityAt) {

packages/server/src/modules/account/account.service.spec.ts

@@ -116,28 +116,7 @@ describe('account.service', () => {
       ).rejects.toThrow('Org ID is invalid')
     })
 
-    it(`sets default password as email`, async () => {
-      expect.assertions(1)
-
-      jest
-        .spyOn(accountService['orgService'], 'validateOrgId')
-        .mockResolvedValueOnce(true as never)
-
-      const testCreateAccountServiceInput: CreateAccountServiceInput = {
-        ...createAccountServiceInput,
-        password: '',
-      }
-
-      const testAccount = await accountService.createAccount(
-        testCreateAccountServiceInput,
-      )
-
-      await expect(
-        compareSync(testCreateAccountServiceInput.email, testAccount.password),
-      ).toBe(true)
-    })
-
-    it(`sets default status as ACTIVE`, async () => {
+    it(`sets default status as Pending`, async () => {
       expect.assertions(1)
 
       jest
@@ -148,7 +127,7 @@ describe('account.service', () => {
         createAccountServiceInput,
       )
 
-      await expect(testAccount.status).toBe(AccountStatus.Active)
+      await expect(testAccount.status).toBe(AccountStatus.Pending)
     })
 
     it(`replaces duplicated spaces in displayName by single spaces`, async () => {
@@ -220,7 +199,7 @@ describe('account.service', () => {
       expect(account).toMatchObject({
         email: '[email protected]',
         lastActivityAt: null,
-        status: 'Active',
+        status: 'Pending',
         username: 'duongdev',
       })
       expect(account.orgId).toBeDefined()

packages/server/src/modules/account/account.service.ts

@@ -1,3 +1,4 @@
+/* eslint-disable no-process-env */
 import { forwardRef, Inject } from '@nestjs/common'
 import { DocumentType, ReturnModelType } from '@typegoose/typegoose'
 import * as bcrypt from 'bcrypt'
@@ -7,14 +8,17 @@ import { ForbiddenError } from 'type-graphql'
 import { Service, InjectModel, Logger } from 'core'
 import { isObjectId } from 'core/utils/db'
 import {
+  generateString,
   removeExtraSpaces,
   stringWithoutSpecialCharacters,
 } from 'core/utils/string'
 import { AuthService } from 'modules/auth/auth.service'
 import { OrgRoleName, Permission } from 'modules/auth/models'
+import { MailService } from 'modules/mail/mail.service'
 import { OrgService } from 'modules/org/org.service'
 import { ANY, Nullable } from 'types'
 
+import { OTP_TIME } from './account.const'
 import { CreateAccountServiceInput } from './account.type'
 import { Account, AccountStatus } from './models/Account'
 
@@ -29,6 +33,8 @@ export class AccountService {
     private readonly authService: AuthService,
     @Inject(forwardRef(() => OrgService))
     private readonly orgService: OrgService,
+    @Inject(forwardRef(() => MailService))
+    private readonly mailService: MailService,
   ) {}
 
   async createAccount(
@@ -62,20 +68,29 @@ export class AccountService {
       throw new Error('displayName contains invalid characters')
     }
 
+    const otp = generateString(20)
+
+    const otpExpired = new Date()
+    otpExpired.setMinutes(otpExpired.getMinutes() + OTP_TIME)
+
     const account = await this.accountModel.create({
       username: accountInput.username,
       email: accountInput.email,
-      password: bcrypt.hashSync(
-        accountInput.password || accountInput.email,
-        10,
-      ),
+      password: bcrypt.hashSync(accountInput.password || '', 10),
+      otp,
+      otpExpired,
       orgId: accountInput.orgId,
       createdBy: accountInput.createdByAccountId,
       status: accountInput.status,
       roles: uniq(accountInput.roles),
       displayName: removeExtraSpaces(accountInput.displayName),
     })
 
+    if (process.env.NODE_ENV !== 'test') {
+      this.mailService
+        .sendOTP(account, 'ACTIVE_ACCOUNT')
+        .then(() => this.logger.log('Send mail success!'))
+    }
     this.logger.log(`[${this.createAccount.name}] Created account successfully`)
     this.logger.verbose(account.toObject())
 
@@ -366,4 +381,75 @@ export class AccountService {
 
     return updateAccount
   }
+
+  async setPassword(
+    usernameOrEmail: string,
+    password: string,
+    otp: string,
+  ): Promise<DocumentType<Account>> {
+    const account = await this.accountModel.findOne({
+      $or: [{ email: usernameOrEmail }, { username: usernameOrEmail }],
+    })
+
+    if (!account) {
+      throw new Error('Account not found')
+    }
+    const current = new Date()
+    if (account.status === AccountStatus.Deactivated) {
+      throw new Error('Account has been deactivated')
+    }
+    if (account.otp !== otp) {
+      throw new Error('OTP invalid')
+    }
+    if (account.otpExpired.getTime() < current.getTime()) {
+      throw new Error('OTP expired')
+    }
+
+    if (account.status === AccountStatus.Pending) {
+      account.status = AccountStatus.Active
+    }
+    account.otp = ''
+    account.otpExpired = new Date(current.setHours(current.getHours() - 1))
+    account.password = bcrypt.hashSync(password, 10)
+    const afterAccount = await account.save()
+
+    return afterAccount
+  }
+
+  async callOTP(
+    usernameOrEmail: string,
+    type: 'ACTIVE_ACCOUNT' | 'RESET_PASSWORD',
+  ): Promise<DocumentType<Account>> {
+    const account = await this.accountModel.findOne({
+      $or: [{ email: usernameOrEmail }, { username: usernameOrEmail }],
+    })
+
+    if (!account) {
+      throw new Error('Account not found')
+    }
+    if (account.status === AccountStatus.Deactivated) {
+      throw new Error('Account has been deactivated')
+    }
+    const current = new Date()
+    if (account.otpExpired.getTime() > current.getTime()) {
+      throw new Error(
+        `Don't spam, please try again after ${account.otpExpired.getHours()}:${account.otpExpired.getMinutes()}`,
+      )
+    }
+    const otp = generateString(20)
+    const otpExpired = new Date()
+    otpExpired.setMinutes(otpExpired.getMinutes() + OTP_TIME)
+    account.otp = otp
+    account.otpExpired = otpExpired
+
+    const afterAccount = await account.save()
+
+    if (process.env.NODE_ENV !== 'test') {
+      this.mailService
+        .sendOTP(afterAccount, type)
+        .then(() => this.logger.log('Send mail success!'))
+    }
+
+    return afterAccount
+  }
 }

packages/server/src/modules/account/models/Account.ts

@@ -50,12 +50,20 @@ export class Account extends BaseModel {
   @prop({ required: true })
   password: string
 
+  @Field({ nullable: true })
+  @prop({ nullable: true })
+  otp: string
+
+  @Field({ nullable: true })
+  @prop({ nullable: true })
+  otpExpired: Date
+
   @Field((_type) => AccountStatus)
   @prop({
     enum: AccountStatus,
     type: String,
     index: true,
-    default: AccountStatus.Active,
+    default: AccountStatus.Pending,
   })
   status: AccountStatus